If you haven’t used an authenticator app before, allow a little time to complete the steps. It’s not difficult and you’ll learn a process that’s easily used with Facebook, your email accounts, Amazon, and more.
How to secure your Twitter account for free
Twitter announced it will charge users who want to use SMS two-factor authentication, but there’s a safer, no-cost option
February 22, 2023 at 6:00 a.m. EST
If you’ve heard us say it once, you’ve heard it a thousand times: Turn on two-factor authentication. Do it for every important account you have, especially banking, email and social media. Do it to avoid hacks, and do it now.
Last week, Twitter announced it would no longer let people use the most common form of two-factor authentication — a numeric code sent over text message — free. Instead, users are being told to either sign up for the $8-a-month Twitter Blue service or switch to a different type of two-factor authentication by March 20.
If you have a Twitter account, even if you don’t post much, you should take steps to secure it in the coming weeks. Don’t worry — it won’t cost a dime. Here’s everything you need to know.
WHAT TO KNOW
- What is Twitter changing, and why?
- What is two-factor authentication?
- Does this change make me more or less secure?
- What are security experts worried about?
- Do I need to sign up for Twitter Blue?
- What should I do to stay secure?
What is Twitter changing, and why?
Starting March 20, Twitter users will no longer be able to use the text-based two-factor authentication feature (also called 2FA) to protect their free accounts on the service. Going forward, the option will only be available to people who pay $8 a month for its Twitter Blue service. Twitter is instructing users to either sign up for Twitter Blue or disable text-based 2FA before that deadline.
Since Elon Musk took over Twitter last October, the company has been scrambling to find ways to make and save money. It has laid off thousands of workers and pushed Twitter Blue, which lets users pay monthly for a verification check mark. This change could save the company money. Musk has claimed text verification, specifically fraud by phone companies, is costing the company $60 million a year.
What is two-factor authentication?
A strong, unique password is important, but it’s no longer enough to protect most online accounts. The next level of security is adding two-factor authentication, which lets a site or service confirm your identity through a separate entity.
There are three common methods of authentication: sending a code to your phone, using a code that updates every minute from an authenticator app on your device, or inserting or tapping a physical security key. Criminals might be able to steal or guess your password, or find it in a data breach, but they still won’t be able to log into your account without this extra piece of information.
Does this change make me more or less secure?
Authentication over text is considered the most convenient and widely adopted option, in part because it uses existing text message apps. It is, without a doubt, safer than only using a password. Experts say it’s not as secure as using an authentication app or security key because of known hacks such as SIM swapping or social engineering attempts to get people to share the codes. If every Twitter user makes the switch to an authentication app, more people will be safer. However, experts worry about the opposite happening.
What are security experts worried about?
Instead of a sudden requirement to switch with a deadline a month away, Twitter could have used nudges to encourage people to make the switch over a long period of time, experts say. Twitter’s approach could result in more people going without any secondary verification.
“The likely thing that’s going to happen is most users are just going to kind of dismiss this warning,” says William Budington, a senior staff technologist at the Electronic Frontier Foundation.
He also thinks it is an attempt by the company to try to make money off its fledgling Twitter Blue service. The change could also mistakenly lead Twitter Blue users to think they are safer than they are.
“They’re saying, ‘You pay us this extra money, and we’ll give you the convenience of being able to choose the less secure of these options,’ ” says Caroline Wong, chief strategy officer at San Francisco-based cybersecurity firm Cobalt.
Do I need to sign up for Twitter Blue?
No. In fact, signing up for Twitter Blue primarily to get verification codes over text message might make you less secure than the people moving to app-based verification. That’s if, and only if, free users take the extra step to set up an authentication app.
“Download the authenticator app and save yourself $8 bucks a month, unless the other benefits are worth it to you,” Wong recommends.
What should I do to stay secure?
You are going to disable text-based 2FA on Twitter and start using an authentication app instead. It’s easy; we’ll show you exactly what to do.
- Download a reputable authentication app. Twilio’s Authy and Google Authenticator are both solid choices and are available free on Android and iOS. There are other options such as Raivo, 1Password, iOS’s AutoFill and Microsoft’s Authenticator app. If you’re already using one of these apps for other logins, it should be easy to add your Twitter account. Just make sure you give each account a clear name so you can tell them apart.
- Open Twitter in a browser on your computer. If you set it up on a phone, it might default you to the built-in authenticator app such as AutoFill, so a browser is easier for choosing a non-default option. Go to Settings and support → Settings and privacy → Security and account access → Security → Two-factor authentication.
- You will see three options. We are going to set up an authentication app only, but you can also add a physical security key such as a Yubikey from this page. Make sure “Text message” is not selected and “Authentication app” is selected. Enter your password.
- Follow the prompts to set up the app you installed. Start by clicking Link app and open your chosen app to read the Twitter QR code. Twitter will also give you a single-use backup code that you should save in your password manager of choice.
- You need to take an additional step to remove your phone number from Twitter, which no longer needs it for security. Go to Settings and support → Settings and privacy → Your account → Account information (you may need to add your password) → Phone. Select “Delete phone number.”
Now whenever you need to log on to Twitter from a new device or browser, open your authenticator app and enter the numeric code listed for Twitter.
Can I just ignore this?
If you do nothing, just carry on with your life and never visit your Twitter settings, you will run into one problem: You may be locked out of your account. Twitter says in a support post that people who do not disable 2FA “will be prompted to disable it before you can continue to use your account.” If you do take that quick step and disable it, you could soon run into other issues like having your account compromised. The safest move is to set up an authentication app.